debian-12-PrisonPC.dpkg.cfg

# In Debian 9, these rules had two jobs:
#
#   1. Keep high-level ("apps") documentation, but
#      omit low-level ("internals") documentation, so
#      inmates cannot study attack surfaces.
#
#   2. Omit large non-English files,
#      so the build is about 25% faster and 10% smaller.
#
# In Debian 11 we still care about #1 but not #2.
#
# This could ALMOST go into delete-bad-files (simpler,
# but build is a bit slower and has higher peak RAM usage).
# BUT "remove /usr/share/doc except /usr/share/doc/X" cannot
# currently be expressed in the pythonized delete-bad-files.
#
# Old tickets:
# https://alloc.cyber.com.au/task/task.php?taskID=24888
# https://alloc.cyber.com.au/task/task.php?taskID=30232

############################################################
# "Internals" docs
############################################################
# Omit top-level trees entirely.
# We will opt-in to app docs under /usr/share/doc/.
path-exclude=/usr/share/man/*
path-exclude=/usr/share/info/*
path-exclude=/usr/share/doc/*
path-exclude=/usr/share/gtk-doc/*


############################################################
# Desktop Environments
############################################################
# KDE5
path-include=/usr/share/doc/HTML
path-include=/usr/share/doc/HTML/en
path-include=/usr/share/doc/HTML/en/*

# These are not under /usr/share/doc, and
# we no longer install localepurge, so
# we need not mention these at all.
#
# GNOME2 (still used in Debian 11)
#path-include=/usr/share/gnome/help
# GNOME3
#path-include=/usr/share/help


############################################################
# Individual Apps
############################################################
path-include=/usr/share/doc/dia
path-exclude=/usr/share/doc/dia/*
path-include=/usr/share/doc/dia/html

path-include=/usr/share/doc/gnucash-docs
path-exclude=/usr/share/doc/gnucash-docs/*
path-include=/usr/share/doc/gnucash-docs/gnucash-guide-en/*
path-include=/usr/share/doc/gnucash-docs/gnucash-help-en/*

path-include=/usr/share/doc/pspp
path-exclude=/usr/share/doc/pspp/*
path-include=/usr/share/doc/pspp/pspp.pdf

# Scribus needs symlinks to /usr/share/scribus/doc
path-include=/usr/share/doc/scribus
path-exclude=/usr/share/doc/scribus/*
path-include=/usr/share/doc/scribus/en

path-include=/usr/share/doc/wesnoth-*-data
path-exclude=/usr/share/doc/wesnoth-*-data/*
path-include=/usr/share/doc/wesnoth-*-data/manual.en.html




############################################################
# Firmware Allowlist/Denylist
############################################################
# We install intel-microcode for its CRITICAL SECURITY UPDATES.
# We install other firmware packages to reduce kernel logspam;
# the hardware actually works OK without it.
#
# The i915 GPU firmware ships in the same deb as some WiFi/Bluetooth radio firmware.
# Inmate kernels don't have the corresponding drivers, so
# it's not a REAL problem.  But it is tidier to remove them.
#
# See also:
# https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/
# https://wiki.debian.org/Firmware/List
# https://github.com/cyberitsolutions/bootstrap2020/tree/twb/doc/firmware-policy.csv
# https://github.com/cyberitsolutions/bootstrap2020/tree/twb/doc/debian-12-desktop.toml
path-exclude=/lib/firmware/*
path-include=/lib/firmware/amd-ucode
path-include=/lib/firmware/amd-ucode/*
path-include=/lib/firmware/amd
path-include=/lib/firmware/amd/*
path-include=/lib/firmware/intel-ucode
path-include=/lib/firmware/intel-ucode/*
path-include=/lib/firmware/intel
path-include=/lib/firmware/intel/*
path-exclude=/lib/firmware/intel/ibt-*
path-exclude=/lib/firmware/intel/ice/*
path-exclude=/lib/firmware/intel/irci_*
path-include=/lib/firmware/i915
path-include=/lib/firmware/i915/*
path-include=/lib/firmware/rtl_nic
path-include=/lib/firmware/rtl_nic/*
path-include=/lib/firmware/skl_hda_dsp_generic-tplg.bin